do not silently truncate the key in openssl_encrypt() #9026
Comments
I think the problematic part is that we don't expose Thinking about it really, it's not such a problem because the password should always be a random value, so if it is longer than what the cipher uses it's not such a big issue, except for saving extra data. So not sure if it's even worth it.
Maybe an openssl_cipher_key_length() method like the pre-existing openssl_cipher_iv_length()? Fwiw @iluuu1994 's PR looks like an improvement imo
@divinity76 Just created a PR for addition of
hmm @iluuu1994 you wanna make a
It's done here: #9368
Why should @iluuu1994 make it too? 😄
@iluuu1994 made PR #9302, so he seemed interested in the subject. I personally have a lot (too much) to do already; I can probably make it 27 August if nobody else has by then.
Closing as #9368 is merged now. I don't think we want to prevent the truncation as there are valid use cases for that.
Description
Silently truncating keys in security-sensitive code/APIs sounds horrible.
However, given PHP's commitment to backwards-compatibility, perhaps make truncation "deprecated" for a while, and make it throw in the future?
The following code:
Resulted in this output:
But I expected this output instead:
PHP Version
PHP 8.1.7
Operating System
Ubuntu 22.04
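The truncation the report describes, reproduced with constructed fixed values, followed by a guard that refuses a wrongly sized key instead of letting OpenSSL trim it. This is an added example, not code from the issue or from php-src; the helper encrypt_strict() is hypothetical, and it assumes openssl_cipher_key_length() is available (PHP 8.2 and later, via #9368).

```php
<?php
// Added example (not php-src code): show that openssl_encrypt() ignores
// surplus key bytes, then wrap it so a mismatched key length fails loudly.
declare(strict_types=1);

const CIPHER = 'aes-256-cbc';               // 32-byte key, 16-byte IV

// Constructed, fixed values so the run is reproducible (never reuse an IV in real code).
$iv        = str_repeat("\x01", openssl_cipher_iv_length(CIPHER));
$key32     = str_repeat('k', 32);           // correct length for AES-256
$key40     = $key32 . 'EXTRA-8-';           // 8 surplus bytes that get dropped silently
$plaintext = 'attack at dawn';

// 1. Reproduce the behaviour from the report: the 40-byte key encrypts exactly
//    like its 32-byte prefix, because openssl_encrypt() truncates it without notice.
$ct32 = openssl_encrypt($plaintext, CIPHER, $key32, OPENSSL_RAW_DATA, $iv);
$ct40 = openssl_encrypt($plaintext, CIPHER, $key40, OPENSSL_RAW_DATA, $iv);
var_dump($ct32 === $ct40);                  // identical ciphertexts: surplus key bytes were ignored

// 2. Defensive wrapper (hypothetical helper, not part of ext/openssl): compare the
//    supplied key against the cipher's required key length and refuse to proceed on
//    a mismatch, so a too-long or too-short key errors out instead of being silently adjusted.
function encrypt_strict(string $plaintext, string $cipher, string $key, string $iv): string
{
    $want = openssl_cipher_key_length($cipher);   // PHP >= 8.2 (added by php-src #9368)
    if ($want === false) {
        throw new InvalidArgumentException("unknown cipher: $cipher");
    }
    if (strlen($key) !== $want) {
        throw new LengthException(sprintf(
            'key for %s must be exactly %d bytes, got %d', $cipher, $want, strlen($key)));
    }
    $ct = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return $ct;
}

try {
    encrypt_strict($plaintext, CIPHER, $key40, $iv);   // rejected: 40 bytes, cipher wants 32
} catch (LengthException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```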